Merge "Make more project level APIs scoped to project only"

Author: Zuul

nova/api/openstack/compute/server_groups.py

@@ -167,7 +167,7 @@ def index(self, req):
             # new defaults completly then we can remove the above check.
             # Until then, let's keep the old behaviour.
             context.can(sg_policies.POLICY_ROOT % 'index:all_projects',
-                        target={})
+                        target={'project_id': project_id})
             sgs = objects.InstanceGroupList.get_all(context)
         else:
             sgs = objects.InstanceGroupList.get_by_project_id(

nova/api/openstack/compute/server_topology.py

@@ -35,7 +35,8 @@ def index(self, req, server_id):
                     target={'project_id': instance.project_id})
 
         host_policy = (st_policies.BASE_POLICY_NAME % 'host:index')
-        show_host_info = context.can(host_policy, fatal=False)
+        show_host_info = context.can(host_policy,
+            target={'project_id': instance.project_id}, fatal=False)
 
         return self._get_numa_topology(context, instance, show_host_info)
 

nova/api/openstack/compute/volumes.py

@@ -506,6 +506,11 @@ def update(self, req, server_id, id, body):
         # different from the 'id' in the url path, or only swap is allowed by
         # the microversion, we should check the swap volume policy.
         # otherwise, check the volume update policy.
+        # NOTE(gmann) We pass empty target to policy enforcement. This API
+        # is called by cinder which does not have correct project_id where
+        # server belongs to. By passing the empty target, we make sure that
+        # we do not check the requester project_id and allow users with
+        # allowed role to perform the swap volume.
         if only_swap or id != volume_id:
             context.can(va_policies.POLICY_ROOT % 'swap', target={})
         else:

nova/policies/attach_interfaces.py

@@ -37,51 +37,51 @@
 attach_interfaces_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'list',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="List port interfaces attached to a server",
         operations=[
             {
                 'method': 'GET',
                 'path': '/servers/{server_id}/os-interface'
             },
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_INTERFACES_POLICY),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'show',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="Show details of a port interface attached to a server",
         operations=[
             {
                 'method': 'GET',
                 'path': '/servers/{server_id}/os-interface/{port_id}'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_INTERFACES_POLICY),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'create',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Attach an interface to a server",
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/os-interface'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_INTERFACES_POLICY),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'delete',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Detach an interface from a server",
         operations=[
             {
                 'method': 'DELETE',
                 'path': '/servers/{server_id}/os-interface/{port_id}'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_INTERFACES_POLICY)
 ]
 

nova/policies/floating_ips.py

@@ -38,7 +38,7 @@
 floating_ips_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'add',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Associate floating IPs to server. "
         " This API is deprecated.",
         operations=[
@@ -47,11 +47,11 @@
                 'path': '/servers/{server_id}/action (addFloatingIp)'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_FIP_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'remove',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Disassociate floating IPs to server. "
         " This API is deprecated.",
         operations=[
@@ -60,55 +60,55 @@
                 'path': '/servers/{server_id}/action (removeFloatingIp)'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_FIP_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'list',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="List floating IPs. This API is deprecated.",
         operations=[
             {
                 'method': 'GET',
                 'path': '/os-floating-ips'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_FIP_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'create',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Create floating IPs. This API is deprecated.",
         operations=[
             {
                 'method': 'POST',
                 'path': '/os-floating-ips'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_FIP_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="Show floating IPs. This API is deprecated.",
         operations=[
             {
                 'method': 'GET',
                 'path': '/os-floating-ips/{floating_ip_id}'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_FIP_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Delete floating IPs. This API is deprecated.",
         operations=[
             {
                 'method': 'DELETE',
                 'path': '/os-floating-ips/{floating_ip_id}'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_FIP_POLICY),
 ]
 

nova/policies/instance_actions.py

@@ -38,7 +38,7 @@
 instance_actions_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'events:details',
-        check_str=base.SYSTEM_READER,
+        check_str=base.PROJECT_ADMIN,
         description="""Add "details" key in action events for a server.
 
 This check is performed only after the check
@@ -56,10 +56,10 @@
                 'path': '/servers/{server_id}/os-instance-actions/{request_id}'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'events',
-        check_str=base.SYSTEM_READER,
+        check_str=base.PROJECT_ADMIN,
         description="""Add events details in action details for a server.
 This check is performed only after the check
 os_compute_api:os-instance-actions:show passes. Beginning with Microversion
@@ -73,30 +73,30 @@
                 'path': '/servers/{server_id}/os-instance-actions/{request_id}'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'list',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="""List actions for a server.""",
         operations=[
             {
                 'method': 'GET',
                 'path': '/servers/{server_id}/os-instance-actions'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_INSTANCE_ACTION_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="""Show action details for a server.""",
         operations=[
             {
                 'method': 'GET',
                 'path': '/servers/{server_id}/os-instance-actions/{request_id}'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_INSTANCE_ACTION_POLICY),
 ]
 

nova/policies/ips.py

@@ -24,7 +24,7 @@
 ips_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'show',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="Show IP addresses details for a network label of a "
         " server",
         operations=[
@@ -33,18 +33,18 @@
                 'path': '/servers/{server_id}/ips/{network_label}'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'index',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="List IP addresses that are assigned to a server",
         operations=[
             {
                 'method': 'GET',
                 'path': '/servers/{server_id}/ips'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
 ]
 
 

nova/policies/networks.py

@@ -38,7 +38,7 @@
 networks_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'list',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="""List networks for the project.
 
 This API is proxy calls to the Network service. This is deprecated.""",
@@ -48,11 +48,11 @@
                 'path': '/os-networks'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_POLICY),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'show',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="""Show network details.
 
 This API is proxy calls to the Network service. This is deprecated.""",
@@ -62,7 +62,7 @@
                 'path': '/os-networks/{network_id}'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_POLICY),
 ]
 

nova/policies/quota_sets.py

@@ -24,15 +24,15 @@
 quota_sets_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'update',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.PROJECT_ADMIN,
         description="Update the quotas",
         operations=[
             {
                 'method': 'PUT',
                 'path': '/os-quota-sets/{tenant_id}'
             }
         ],
-        scope_types=['system']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'defaults',
         check_str=base.RULE_ANY,
@@ -46,37 +46,46 @@
         scope_types=['system', 'project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'show',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        # TODO(gmann): Until we have domain admin or so to get other project's
+        # data, allow admin role(with scope check it will be project admin) to
+        # get other project quota. We cannot use PROJECT_ADMIN here as
+        # project_id passed in request url is used as policy targets which
+        # would not match with context's project_id fetched for rule
+        # PROJECT_ADMIN check.
+        check_str='(' + base.PROJECT_READER + ') or role:admin',
         description="Show a quota",
         operations=[
             {
                 'method': 'GET',
                 'path': '/os-quota-sets/{tenant_id}'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'delete',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.PROJECT_ADMIN,
         description="Revert quotas to defaults",
         operations=[
             {
                 'method': 'DELETE',
                 'path': '/os-quota-sets/{tenant_id}'
             }
         ],
-        scope_types=['system']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'detail',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        # TODO(gmann): Until we have domain admin or so to get other project's
+        # data, allow admin role(with scope check it will be project admin) to
+        # get other project quota.
+        check_str='(' + base.PROJECT_READER + ') or role:admin',
         description="Show the detail of quota",
         operations=[
             {
                 'method': 'GET',
                 'path': '/os-quota-sets/{tenant_id}/detail'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
 ]